Closed Bug 810626 Opened 12 years ago Closed 12 years ago

WebRTC use-after-free crash [@ mozilla::TransportLayer::SetState]

Categories

(Core :: WebRTC, defect, P1)

Product:
Core
Component:
WebRTC
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox17 --- disabled
firefox18 --- disabled
firefox19 --- disabled
firefox20 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: posidron, Assigned: ekr)

References

Details

(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [asan][WebRTC][blocking-webrtc+][qa-][adv-main20-])

Crash Data

Attachments

(1 file)

callstack
20.79 KB, text/plain
Details
Attached file callstack 
alloc: media/webrtc/signaling/src/mediapipeline/MediaPipeline.h:58
    if (!muxed_) {
      rtcp_transport_->SignalStateChange.connect(this,
                                                 &MediaPipeline::StateChange);


free: media/webrtc/signaling/src/mediapipeline/MediaPipeline.h:178

  virtual ~MediaPipelineTransmit() {
    if (stream_ && listener_){
      stream_->GetStream()->RemoveListener(listener_);


re-use: media/mtransport/transportlayer.cpp:48

    SignalStateChange(this, state);


Tested with m-c changeset: 112919:ea5c4c1b0edf
ekr: have you looked at this?  It's a sec-critical (though mitigated by only being accessed behind a pref).  (Would that be status-firefoxNN: disabled?)
Yes. I suspect this will be fixed by the big lock patch. I agree it's not good.
Eric: please link it as a dependency of the big lock patch.  Thanks
Doesn't look crash test worthy at the moment, unless there's a reproducible test case from HTML that exists that I'm not seeing.
Flags: in-testsuite-
Re-test when the peer connection lock patch lands.
Priority: -- → P1
Whiteboard: [WebRTC][blocking-webrtc+]
See Also: → 808546
Jason, has the lock patch landed?
status-firefox20: --- → affected
tracking-firefox20: --- → +
Flags: needinfo?(jsmith)
Redirecting question to ekr
Flags: needinfo?(jsmith) → needinfo?(ekr)
No.
Flags: needinfo?(ekr)
Crash Signature: [@ mozilla::TransportLayer::SetState]
Summary: WebRTC use-after-free crash [@mozilla::TransportLayer::SetState] → WebRTC use-after-free crash [@ mozilla::TransportLayer::SetState]
Excerpt from the attached callstack for better querying on Bugzilla:

    #0 0x1089cbfb6 in std::_List_const_iterator<sigslot::_connection_base2<mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>*>::operator++ stl_list.h:224
    #1 0x1089cb5f1 in sigslot::signal2<mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator sigslot.h:2409
    #2 0x1089d11e7 in sigslot::signal2<mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator sigslot.h:2411
    #3 0x1089d0de8 in mozilla::TransportLayer::SetState transportlayer.cpp:48
    #4 0x1089daaf9 in mozilla::TransportLayerDtls::Handshake transportlayerdtls.cpp:671
    #5 0x1089d96bb in mozilla::TransportLayerDtls::PacketReceived transportlayerdtls.cpp:692
Lock patch landed. We need to see if this reproduces on trunk.
Cristoph - any sign this is still occurring?
Flags: needinfo?(cdiehl)
Nope. I am not seeing it anymore.
Flags: needinfo?(cdiehl)
Closing per above; please re-open if it recurs in ASAN testing. Thanks!
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [WebRTC][blocking-webrtc+] → [WebRTC][blocking-webrtc+][qa-]
Looks like this patch did land on 20 in bug 792175 so marking the status flag accordingly.
status-firefox20: affectedfixed
Whiteboard: [WebRTC][blocking-webrtc+][qa-] → [asan][WebRTC][blocking-webrtc+][qa-][adv-main20-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: